build: Rebase pinniped to bitnami helm chart

This commit is contained in:
Danny Bessems 2023-08-22 12:02:13 +02:00
parent b17501ee1d
commit 1a1440f751
15 changed files with 216 additions and 80 deletions


@ -14,15 +14,6 @@
loop_control: loop_control:
label: "{{ item.dest | basename }}" label: "{{ item.dest | basename }}"
- name: Parse pinniped manifests for container images
ansible.builtin.shell:
# The pinniped manifest specify container images with *both* tag and digest; which is not supported by skopeo
cmd: cat {{ item.dest }} | yq --no-doc eval '.. | .image? | select(.) | sub("@.*", "")' | awk '!/ /'
register: pinniped_parsedmanifests
loop: "{{ pinniped_manifests.results }}"
loop_control:
label: "{{ item.dest | basename }}"
- name: Parse metacluster helm charts for container images - name: Parse metacluster helm charts for container images
ansible.builtin.shell: ansible.builtin.shell:
cmd: "{{ item.value.helm.parse_logic }}" cmd: "{{ item.value.helm.parse_logic }}"
@ -52,8 +43,6 @@
results: "{{ kubeadmimages.stdout_lines }}" results: "{{ kubeadmimages.stdout_lines }}"
- source: clusterapi - source: clusterapi
results: "{{ clusterapi_parsedmanifests | json_query('results[*].stdout_lines') | select() | flatten | list }}" results: "{{ clusterapi_parsedmanifests | json_query('results[*].stdout_lines') | select() | flatten | list }}"
- source: pinniped
results: "{{ pinniped_parsedmanifests | json_query('results[*].stdout_lines') | select() | flatten | list }}"
loop_control: loop_control:
label: "{{ item.source }}" label: "{{ item.source }}"
@ -75,4 +64,4 @@
docker://{{ item }} \ docker://{{ item }} \
docker-archive:./{{ ( item | regex_findall('[^/:]+'))[-2] }}_{{ lookup('ansible.builtin.password', '/dev/null length=5 chars=ascii_lowercase,digits seed={{ item }}') }}.tar:{{ item }} docker-archive:./{{ ( item | regex_findall('[^/:]+'))[-2] }}_{{ lookup('ansible.builtin.password', '/dev/null length=5 chars=ascii_lowercase,digits seed={{ item }}') }}.tar:{{ item }}
chdir: /opt/metacluster/container-images chdir: /opt/metacluster/container-images
loop: "{{ (containerimages_charts + containerimages_kubeadm + containerimages_clusterapi + containerimages_pinniped + dependencies.container_images) | flatten | unique | sort }}" loop: "{{ (containerimages_charts + containerimages_kubeadm + containerimages_clusterapi + dependencies.container_images) | flatten | unique | sort }}"


@ -16,7 +16,6 @@
- /opt/metacluster/helm-charts - /opt/metacluster/helm-charts
- /opt/metacluster/k3s - /opt/metacluster/k3s
- /opt/metacluster/kube-vip - /opt/metacluster/kube-vip
- /opt/metacluster/pinniped
- /opt/workloadcluster/git-repositories/gitops/charts - /opt/workloadcluster/git-repositories/gitops/charts
- /opt/workloadcluster/git-repositories/gitops/values - /opt/workloadcluster/git-repositories/gitops/values
- /opt/workloadcluster/helm-charts - /opt/workloadcluster/helm-charts


@ -16,8 +16,7 @@
{ 'components': ( { 'components': (
metacluster_chartvalues | metacluster_chartvalues |
combine({ 'clusterapi': components.clusterapi }) | combine({ 'clusterapi': components.clusterapi }) |
combine({ 'kubevip' : components.kubevip }) | combine({ 'kubevip' : components.kubevip }) ),
combine({ 'pinniped' : components.pinniped }) ),
'appliance': { 'appliance': {
'version': (applianceversion) 'version': (applianceversion)
} }
@ -100,29 +99,6 @@
delay: 5 delay: 5
until: kubevip_manifest is not failed until: kubevip_manifest is not failed
- name: Download pinniped manifests
ansible.builtin.get_url:
url: "{{ item.url }}"
dest: /opt/metacluster/pinniped/{{ item.dest }}
register: pinniped_manifests
loop:
# The 'supervisor' runs in the metacluster and handles authentication
- url: https://github.com/vmware-tanzu/pinniped/releases/download/{{ components.pinniped.version }}/install-pinniped-supervisor.yaml
dest: pinniped-supervisor.yaml
# The 'local-user-authenticator' can be used to run a simple OIDC provider based on useraccounts defined in secrets.
- url: https://github.com/vmware-tanzu/pinniped/releases/download/{{ components.pinniped.version }}/install-local-user-authenticator.yaml
dest: local-user-authenticator.yaml
# The 'concierge' runs in downstream clusters and forwards authentication requests
- url: https://github.com/vmware-tanzu/pinniped/releases/download/{{ components.pinniped.version }}/install-pinniped-concierge-crds.yaml
dest: pinniped-concierge-crds.yaml
- url: https://github.com/vmware-tanzu/pinniped/releases/download/{{ components.pinniped.version }}/install-pinniped-concierge-resources.yaml
dest: pinniped-concierge-resources.yaml
loop_control:
label: "{{ item.dest }}"
retries: 5
delay: 5
until: pinniped_manifests is not failed
# - name: Inject manifests # - name: Inject manifests
# ansible.builtin.template: # ansible.builtin.template:
# src: "{{ item.type }}.j2" # src: "{{ item.type }}.j2"


@ -1,37 +1,125 @@
- name: Trim container image digests - block:
ansible.builtin.lineinfile: - name: Install dex
path: "{{ item }}" kubernetes.core.helm:
regexp: "([ ]+image: (.*))@sha256:.*" name: dex
line: "\\1" chart_ref: /opt/metacluster/helm-charts/dex
state: present release_namespace: dex
backrefs: yes create_namespace: true
loop: "{{ query('ansible.builtin.fileglob', '/opt/metacluster/pinniped/*.yaml') }}" wait: false
kubeconfig: "{{ kubeconfig.path }}"
values: "{{ components['dex'].chart_values }}"
- name: Install supervisor - block:
kubernetes.core.k8s:
src: /opt/metacluster/pinniped/pinniped-supervisor.yaml
state: present
wait: yes
kubeconfig: "{{ kubeconfig.path }}"
- name: Add ingress for supervisor - name: Install pinniped chart
kubernetes.core.k8s: kubernetes.core.helm:
template: "ingressroute.j2" name: pinniped
state: present chart_ref: /opt/metacluster/helm-charts/pinniped
kubeconfig: "{{ kubeconfig.path }}" release_namespace: pinniped
vars: create_namespace: true
_template: wait: false
name: pinniped-supervisor-api kubeconfig: "{{ kubeconfig.path }}"
namespace: pinniped-supervisor values: "{{ components['pinniped'].chart_values }}"
config: |2
entryPoints: - name: Add ingress for supervisor
- web kubernetes.core.k8s:
- websecure template: "{{ item.kind }}.j2"
routes: state: present
- kind: Rule kubeconfig: "{{ kubeconfig.path }}"
match: Host(`auth.{{ vapp['metacluster.fqdn'] }}`) vars:
services: _template:
- kind: Service name: "{{ item.name }}"
name: pinniped-supervisor-api namespace: "{{ item.namespace }}"
namespace: pinniped-supervisor config: "{{ item.config }}"
port: 443 loop:
- kind: ingressroute
name: pinniped-supervisor
namespace: pinniped-supervisor
spec: |2
entryPoints:
- web
- websecure
routes:
- kind: Rule
match: Host(`auth.{{ vapp['metacluster.fqdn'] }}`)
services:
- kind: Service
name: pinniped-supervisor
namespace: pinniped-supervisor
port: 443
scheme: https
serversTransport: pinniped-supervisor
- kind: serverstransport
name: pinniped-supervisor
namespace: pinniped-supervisor
spec: |2
insecureSkipVerify: true
serverName: auth.{{ vapp['metacluster.fqdn'] }}
- name: Ensure pinniped API availability
ansible.builtin.uri:
url: https://auth.{{ vapp['metacluster.fqdn'] }}/healthz
method: GET
register: api_readycheck
until:
- api_readycheck.status == 200
- api_readycheck.msg is search("OK")
retries: "{{ playbook.retries }}"
delay: "{{ ((storage_benchmark | float) * playbook.delay.short) | int }}"
# TODO: Migrate to step-ca
- name: Initialize tempfile
ansible.builtin.tempfile:
state: directory
register: certificate
- name: Create private key (RSA, 4096 bits)
community.crypto.openssl_privatekey:
path: "{{ certificate.path }}/certificate.key"
- name: Create self-signed certificate
community.crypto.x509_certificate:
path: "{{ certificate.path }}/certificate.crt"
privatekey_path: "{{ certificate.path }}/certificate.key"
provider: selfsigned
- name: Store self-signed certificate for use by pinniped supervisor
kubernetes.core.k8s:
template: secret.j2
state: present
kubeconfig: "{{ kubeconfig.path }}"
vars:
_template:
name: pinniped-supervisor-tls
namespace: pinniped-supervisor
type: kubernetes.io/tls
data:
- tls.crt: "{{ lookup('ansible.builtin.file', certificate.path ~ '/certificate.crt') }}"
- tls.key: "{{ lookup('ansible.builtin.file', certificate.path ~ '/certificate.key') }}"
# TODO: Migrate to step-ca
- name: Create pinniped resources
kubernetes.core.k8s:
template: "{{ item.kind }}.j2"
state: present
kubeconfig: "{{ kubeconfig.path }}"
vars:
_template:
name: "{{ item.name }}"
namespace: "{{ item.namespace }}"
config: "{{ item.config }}"
loop:
- kind: oidcidentityprovider
name: dex-staticpasswords
namespace: pinniped-supervisor
ca_bundle:
issuer:
- kind: federationdomain
name: metacluster-sso
namespace: pinniped-supervisor
spec: |2
issuer: https://auth.{{ vapp['metacluster.fqdn'] }}/demo-issuer
tls:
secretName: pinniped-supervisor-tls
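Review bot: The `_template` vars in the `Add ingress for supervisor` and `Create pinniped resources` tasks pass `config: "{{ item.config }}"`, but every loop item declares `spec:` and the ingressroute, serverstransport and federationdomain templates touched by this commit read `_template.spec`, so both tasks fail on an undefined `item.config`; change that line to `spec: "{{ item.spec }}"` in both tasks. The `oidcidentityprovider` item leaves `ca_bundle` and `issuer` blank and nothing forwards `issuer`, `ca_bundle` or `client_secret` into `_template`, so that resource cannot render either — wire those keys through and fill them from the Dex issuer and its client secret. `insecureSkipVerify: true` on the ServersTransport disables verification of the supervisor's certificate even though this same play generates that certificate; prefer giving Traefik the self-signed certificate as a trust root via `rootCAsSecrets` (confirm the secret key name Traefik expects) and leave `insecureSkipVerify` off. The route also exposes the issuer on the plaintext `web` entry point; restrict it to `websecure`, as the step-ca route in this commit already does. Note too that `Ensure pinniped API availability` runs before the TLS secret and FederationDomain exist, so if the supervisor only serves once a FederationDomain references a certificate this check will loop until retries are exhausted — moving it after `Create pinniped resources` looks safer.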


@ -82,7 +82,7 @@
_template: _template:
name: step-ca name: step-ca
namespace: step-ca namespace: step-ca
config: |2 spec: |2
entryPoints: entryPoints:
- websecure - websecure
routes: routes:


@ -32,7 +32,7 @@
_template: _template:
name: gitea-ssh name: gitea-ssh
namespace: gitea namespace: gitea
config: |2 spec: |2
entryPoints: entryPoints:
- ssh - ssh
routes: routes:


@ -27,7 +27,7 @@
_template: _template:
name: traefik-dashboard name: traefik-dashboard
namespace: kube-system namespace: kube-system
config: |2 spec: |2
entryPoints: entryPoints:
- web - web
- websecure - websecure


@ -0,0 +1,7 @@
apiVersion: config.supervisor.pinniped.dev/v1alpha1
kind: FederationDomain
metadata:
name: {{ _template.name }}
namespace: {{ _template.namespace }}
spec:
{{ _template.spec }}


@ -4,4 +4,4 @@ metadata:
name: {{ _template.name }} name: {{ _template.name }}
namespace: {{ _template.namespace }} namespace: {{ _template.namespace }}
spec: spec:
{{ _template.config }} {{ _template.spec }}


@ -4,4 +4,4 @@ metadata:
name: {{ _template.name }} name: {{ _template.name }}
namespace: {{ _template.namespace }} namespace: {{ _template.namespace }}
spec: spec:
{{ _template.config }} {{ _template.spec }}


@ -0,0 +1,11 @@
apiVersion: idp.supervisor.pinniped.dev/v1alpha1
kind: OIDCIdentityProvider
metadata:
name: {{ _template.name }}
namespace: {{ _template.namespace }}
spec:
issuer: {{ _template.issuer }}
tls:
certificateAuthorityData: {{ template.ca_bundle }}
client:
secretName: {{ _template.client_secret }}
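Review bot: `certificateAuthorityData: {{ template.ca_bundle }}` references `template` instead of `_template`, a name the calling task never defines, so rendering aborts on an undefined variable; it should read `{{ _template.ca_bundle }}`. Even with the name fixed, `issuer`, `certificateAuthorityData` and `client.secretName` are emitted unconditionally, so a missing value renders as a bare `key:` (YAML null) and the OIDCIdentityProvider is rejected by API validation rather than the play failing with a clear message; guard the optional `tls:` block with `{% if _template.ca_bundle is defined %}` and let the caller assert the required `issuer` and `client_secret`. The Pinniped CRD expects `certificateAuthorityData` as base64-encoded PEM, so a comment such as `# ca_bundle must be the base64 (b64encode) of the PEM bundle, not raw PEM` above the field would save the next caller from the same mistake.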


@ -3,6 +3,9 @@ kind: Secret
metadata: metadata:
name: {{ _template.name }} name: {{ _template.name }}
namespace: {{ _template.namespace }} namespace: {{ _template.namespace }}
{% if _template.type is defined %}
type: {{ _template.type }}
{% endif %}
data: data:
{% for kv_pair in _template.data %} {% for kv_pair in _template.data %}
"{{ kv_pair.key }}": {{ kv_pair.value }} "{{ kv_pair.key }}": {{ kv_pair.value }}
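Review bot: The new `type` branch makes this template usable for `kubernetes.io/tls` secrets, but the caller this commit adds for `pinniped-supervisor-tls` passes raw PEM from `lookup('ansible.builtin.file', ...)` into `data:`, and the API requires `data` values to be base64 — the multi-line PEM also corrupts the rendered YAML; have the caller apply `| b64encode`, or, if every existing caller already passes plaintext, encode here with `{{ kv_pair.value | b64encode }}`. That same caller passes items shaped as `- tls.crt: ...`, while this loop reads `kv_pair.key` and `kv_pair.value`, so the render most likely fails on an undefined `key`; the items need the `- key: tls.crt` / `value: ...` form, or the loop should iterate a mapping via `_template.data.items()`. The `data:` loop this hunk belongs to continues past the hunk.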


@ -0,0 +1,7 @@
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
name: {{ _template.name }}
namespace: {{ _template.namespace }}
spec:
{{ _template.spec }}


@ -33,6 +33,10 @@ platform:
helm_repositories: helm_repositories:
- name: argo - name: argo
url: https://argoproj.github.io/argo-helm url: https://argoproj.github.io/argo-helm
- name: bitnami
url: https://charts.bitnami.com/bitnami
- name: dexidp
url: https://charts.dexidp.io
- name: gitea-charts - name: gitea-charts
url: https://dl.gitea.io/charts/ url: https://dl.gitea.io/charts/
- name: harbor - name: harbor
@ -93,6 +97,38 @@ components:
node_template: node_template:
url: https://{{ repo_username }}:{{ repo_password }}@sn.itch.fyi/Repository/rel/ubuntu-2204-kube-v1.27.1.ova url: https://{{ repo_username }}:{{ repo_password }}@sn.itch.fyi/Repository/rel/ubuntu-2204-kube-v1.27.1.ova
dex:
helm:
version: 0.15.3 # (= Dex 2.37.0)
chart: dexidp/dex
parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
chart_values: !unsafe |
config:
issuer: https://idps.{{ vapp['metacluster.fqdn'] }}
storage:
type: kubernetes
config:
inCluster: true
staticClients:
- id: pinniped-supervisor
secret: pinniped-supervisor-secret
name: Pinniped Supervisor client
redirectURIs:
- https://auth.{{ vapp['metacluster.fqdn'] }}/callback
enablePasswordDB: true
staticPasswords:
- email: admin@{{ vapp['metacluster.fqdn'] }}
hash: {{ vapp['metacluster.password'] | password_hash('bcrypt') }}
username: admin
userID: {{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['metacluster.fqdn']) | to_uuid }}
ingress:
enabled: true
hosts:
- host: idps.{{ vapp['metacluster.fqdn'] }}
paths:
- path: /
pathType: Prefix
gitea: gitea:
helm: helm:
version: v7.0.2 # (= Gitea v1.18.3) version: v7.0.2 # (= Gitea v1.18.3)
@ -198,8 +234,17 @@ components:
defaultClassReplicaCount: 1 defaultClassReplicaCount: 1
pinniped: pinniped:
# Must match the version referenced at `dependencies.static_binaries[.filename==pinniped].url` helm:
version: v0.25.0 version: 1.2.11 # (= Pinniped v0.25.0)
chart: bitnami/pinniped
parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
chart_values: !unsafe |
concierge:
enabled: false
supervisor:
service:
public:
type: ClusterIP
step-certificates: step-certificates:
helm: helm:
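Review bot: `secret: pinniped-supervisor-secret` gives Dex's `pinniped-supervisor` client a fixed, literal OAuth client secret that ships in this repository; generate it with a random value persisted outside the repo (a seed derived from the public FQDN, as used for `userID`, would make it guessable) and inject it into the Dex config via environment expansion rather than inline, keeping the same value for the supervisor's OIDCIdentityProvider client secret. The `redirectURIs` entry `https://auth.{{ vapp['metacluster.fqdn'] }}/callback` does not line up with the FederationDomain issuer `https://auth.{{ vapp['metacluster.fqdn'] }}/demo-issuer` declared elsewhere in this commit; if the supervisor registers its callback beneath the issuer path, this must be `.../demo-issuer/callback`, and the `demo-issuer` segment itself reads like a leftover from the upstream walkthrough. `ingress.enabled: true` lists only `hosts` and no `tls:` stanza while `config.issuer` is `https://idps.…`; confirm the ingress controller terminates TLS for that host by default or add the `tls` section, otherwise the password-based login form is reachable over plaintext.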


@ -1,6 +1,8 @@
downstream: downstream:
helm_repositories: helm_repositories:
- name: bitnami
url: https://charts.bitnami.com/bitnami
- name: longhorn - name: longhorn
url: https://charts.longhorn.io url: https://charts.longhorn.io
- name: sealed-secrets - name: sealed-secrets
@ -18,6 +20,15 @@ downstream:
createDefaultDiskLabeledNodes: true createDefaultDiskLabeledNodes: true
defaultDataPath: /mnt/blockstorage defaultDataPath: /mnt/blockstorage
pinniped:
helm:
version: 1.2.11 # (= Pinniped v0.25.0)
chart: bitnami/pinniped
parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
chart_values: !unsafe |
supervisor:
enabled: false
sealed-secrets: sealed-secrets:
version: 2.8.1 # (= Sealed Secrets v0.20.2) version: 2.8.1 # (= Sealed Secrets v0.20.2)
chart: sealed-secrets/sealed-secrets chart: sealed-secrets/sealed-secrets